CVE-2026-21721

HIGH

Grafana Dashboard Permissions API - Privilege Escalation

Title source: llm

Description

The dashboard permissions API authorizes a request by checking only that the caller holds a dashboards.permissions:* action (dashboards.permissions:read or dashboards.permissions:write); it does not verify that the scope of that grant covers the dashboard named in the request. A user who has been granted permission management on a single dashboard therefore passes the check for every dashboard in the same organization and can read and rewrite their permissions, including granting themselves further access. This is an organization-internal privilege escalation (CWE-863, incorrect authorization): it requires an authenticated account that already holds permission management rights on at least one dashboard (the PR:L in the CVSS vector) and does not cross organization boundaries.
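To make the flaw concrete, the following is an added illustration written for this page, not Grafana's own code: an action-only authorization check beside the action-plus-scope check that the description says is missing. The action and scope string formats follow Grafana's RBAC conventions (dashboards.permissions:read, dashboards:uid:<uid>); the wildcard handling, the Evaluator type and the sample permission set are simplified assumptions, and folder-inherited scopes are not modeled.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one RBAC grant: an action plus the scope it applies to.
// Scope strings use the "dashboards:uid:<uid>" form; a trailing "*" is a
// prefix wildcard (so "dashboards:*" covers every dashboard). This wildcard
// rule is a simplification assumed for the example.
type Permission struct {
	Action string
	Scope  string
}

// Evaluator holds the permissions resolved for one user in one org
// (hypothetical type, not Grafana's).
type Evaluator struct {
	Perms []Permission
}

// hasAction is the flawed check: it answers "does this user hold the action
// on any scope?" and never looks at which dashboard the request targets.
func (e Evaluator) hasAction(action string) bool {
	for _, p := range e.Perms {
		if p.Action == action {
			return true
		}
	}
	return false
}

// scopeMatches reports whether a granted scope covers the requested scope:
// exact match, or a prefix wildcard such as "dashboards:uid:*" or "*".
func scopeMatches(granted, requested string) bool {
	if granted == requested {
		return true
	}
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// hasActionOnScope is the corrected check: both the action and a scope
// covering the target dashboard must be present on the same grant.
func (e Evaluator) hasActionOnScope(action, scope string) bool {
	for _, p := range e.Perms {
		if p.Action == action && scopeMatches(p.Scope, scope) {
			return true
		}
	}
	return false
}

// Decision records the outcome under both policies so the difference is
// visible side by side.
type Decision struct {
	ActionOnly  bool // what the vulnerable check would allow
	ActionScope bool // what the scoped check allows
}

// AuthorizePermissionsRead evaluates a read of <dashboardUID>'s permissions.
func AuthorizePermissionsRead(e Evaluator, dashboardUID string) Decision {
	const action = "dashboards.permissions:read"
	scope := "dashboards:uid:" + dashboardUID
	return Decision{
		ActionOnly:  e.hasAction(action),
		ActionScope: e.hasActionOnScope(action, scope),
	}
}

func main() {
	// Constructed sample: the user was made Admin of dashboard "abc123" only.
	user := Evaluator{Perms: []Permission{
		{Action: "dashboards.permissions:read", Scope: "dashboards:uid:abc123"},
		{Action: "dashboards.permissions:write", Scope: "dashboards:uid:abc123"},
		{Action: "dashboards:read", Scope: "dashboards:uid:abc123"},
	}}
	// "xyz789" is a dashboard the user was never granted anything on.
	for _, uid := range []string{"abc123", "xyz789"} {
		d := AuthorizePermissionsRead(user, uid)
		fmt.Printf("dashboard %s: action-only=%v action+scope=%v\n",
			uid, d.ActionOnly, d.ActionScope)
	}
}
```

Running the block shows the action-only policy allowing the read of xyz789's permissions while the scoped policy denies it; an org-wide grant such as dashboards:* still passes the scoped check, which is the behaviour an org admin expects.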

Exploits (2)

github (WORKING POC, 10 stars) by XiaomingX, tagged pythonpoc:
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21721

nomisec (WORKING POC, 2 stars) by Leonideath, tagged poc:
https://github.com/Leonideath/Exploit-LPE-CVE-2026-21721

Scores

CVSS v3 8.1
EPSS 0.0001
EPSS Percentile 3.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-863
Status published
Products (17)
grafana/grafana 11.6.9
grafana/grafana 12.0.8
grafana/grafana 12.1.5
grafana/grafana 12.2.3
grafana/grafana 12.3.0
grafana/grafana 12.3.1
grafana/grafana 10.2.0 - 11.6.9
Grafana/grafana/grafana 10.2.0 - 11.6.9
Grafana/grafana/grafana 12.0.0 - 12.0.8
Grafana/grafana/grafana 12.1.0 - 12.1.5
... and 7 more
Published Jan 27, 2026
Tracked Since Feb 18, 2026